Layer 2 Access Control Lists on EVCs

The ability to filter packets in a modular and scalable way is important for both network security and network management.
Access Control Lists (ACLs) provide the capability to filter packets at a fine granularity. In Metro Ethernet networks, ACLs
are directly applied on Ethernet virtual circuits (EVCs).

Layer 2 Access Control Lists on EVCs is a security feature that allows packet filtering based on MAC addresses. This module
describes how to implement ACLs on EVCs.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information,
see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module,
and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature
Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Layer 2 Access Control Lists on EVCs

Knowledge of how service instances must be configured.

Knowledge of extended MAC ACLs and how they must be configured.

Restrictions for Layer 2 Access Control Lists on EVCs

A maximum of 16512 access control entries (ACEs) is allowed for a given ACL, provided that the total does not exceed the maximum number of TCAM entries.

Only 256 different or unique Layer 2 ACLs can be configured on a line card. (More than 256 ACLs can be configured on a router; the number depends on how many TCAM entries are free for programming these ACLs.)

L2 ACLs are supported over a port channel with Normal EFPs.

Egress L2 ACL on EVC is not supported.

L2 ACLs are not supported on Trunk EFP.

L2 ACL counters are not supported.

A Layer 2 ACL can be applied to Layer 2 frames that carry no IPv4 or IPv6 header, because a Layer 2 ACL does not support filtering on IPv4 or IPv6 traffic.

Information About Layer 2 Access Control Lists on EVCs

EVCs

An Ethernet virtual circuit (EVC) as defined by the Metro Ethernet Forum is a port-level point-to-point or multipoint-to-multipoint
Layer 2 circuit. It is an end-to-end representation of a single instance of a Layer 2 service being offered by a provider
to a customer. An EVC contains the different parameters on which the service is being offered. A service instance is the instantiation
of an EVC on a specified port.

Service instances are configured under a port channel. The traffic carried by the service instance is load balanced across
member links. Service instances under a port channel are grouped and each group is associated with one member link. Ingress
traffic for a single EVC can arrive on any member of the bundle. All egress traffic for a service instance uses only one of
the member links. Load balancing is achieved by grouping service instances and assigning them to a member link.

Ethernet virtual connection services (EVCS) use EVCs and service instances to provide Layer 2 switched Ethernet services.
EVC status can be used by a customer edge (CE) device either to find an alternative path to the service provider network or
in some cases, to fall back to a backup path over Ethernet or over another alternative service such as ATM.

For information about the Metro Ethernet Forum standards, see the Standards table in the “Additional References” section.

Relationship Between ACLs and Ethernet Infrastructure

The following points capture the relationship between ACLs and Ethernet Infrastructure (EI):

ACLs can be directly applied on an EVC using the command-line interface (CLI). An ACL is applied to a service instance, which
is the instantiation of an EVC on a given port.

One ACL can be applied to more than one service instance at any time.

One service instance can have one ACL at most applied to it at any time. If a Layer 2 ACL is applied to a service instance
that already has a Layer 2 ACL, the new one replaces the old one.

Only named ACLs can be applied to service instances. The existing ACL command syntax is retained; the mac access-list extended command is used to create an ACL.

The show ethernet service instance id id interface type number detail command can be used to display details about ACLs on service instances.
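The following is an added configuration example, not taken from this module, that ties the points above to the commands the module names: a named extended MAC ACL is created with mac access-list extended, attached inbound to a service instance with mac access-group in, and verified with show ethernet service instance. The interface, service instance ID, VLAN, bridge domain, ACL name and MAC address are assumed values.

```cisco
! Added example with assumed names and addresses (not from the module).
! Named extended MAC ACL: drop frames from one source MAC, permit the rest.
! Only named ACLs can be applied to a service instance.
mac access-list extended L2-EVC-FILTER
 deny host 0011.2233.4455 any
 permit any any
!
! Apply the ACL to the service instance, which is the instantiation of
! the EVC on this port. A service instance holds at most one L2 ACL;
! applying another replaces it. Egress L2 ACLs on EVCs are not supported,
! so the ACL is applied in the ingress direction only.
interface GigabitEthernet0/0/1
 service instance 10 ethernet
  encapsulation dot1q 100
  rewrite ingress tag pop 1 symmetric
  mac access-group L2-EVC-FILTER in
  bridge-domain 100
!
! Verification (privileged EXEC mode): confirm the ACL is attached.
show ethernet service instance id 10 interface GigabitEthernet0/0/1 detail
```

The same ACL name may be applied to additional service instances; counters are not available for L2 ACLs on EVCs, so verify the attachment with the show command rather than expecting hit counts.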

Standards

Standard    Title
MEF 6.1     Metro Ethernet Services Definitions Phase 2 (PDF 6/08)
MEF 10.1    Ethernet Services Attributes Phase 2 (PDF 10/06)

Technical Assistance

Description    Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use
these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products
and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

Feature Information for Layer 2 Access Control Lists on EVCs

The following table provides release information about the feature or features described in this module. This table lists
only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise,
subsequent releases of that software release train also support that feature.

Table 2. Feature Information for Layer 2 Access Control Lists on EVCs

Feature Name                            Releases                    Feature Information
Layer 2 Access Control Lists on EVCs    Cisco IOS XE Release 3.6S   The Layer 2 Access Control Lists on EVCs feature introduces ACLs on EVCs.
                                                                    The following commands were introduced or modified:
                                                                    interface, mac access-group in, mac access-list extended,
                                                                    show ethernet service instance.